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AN INTEGRATED CIRCUIT DEVICE MADE SECURE 
BY MEANS OF ADDITIONAL BUS LINES 

FIELD OF THE INVENTION 

The invention relates to integrated circuit devices for 
incorporation in portable articles, and in particular in portable 
articles having the smart card format. 

BACKGROUND OF THE INVENTION 

Smart cards are generally used in applications where it is 
essential for confidential data to be stored and processed in a 
secure manner. For example, such cards can be used for 
applications in the fields of health, and pay TV, or indeed as 
"electronic purses". 

They comprise a plastic card body in which an integrated 
circuit device is incorporated. The device is either an 
electronics module including an integrated circuit chip or the 
integrated circuit chip itself. 

An integrated circuit chip typically includes a central 
processor unit (CPU) which uses bus lines to control and 
distribute data and addresses involving storage in memories of 
said chip that may be volatile or non-volatile. 

The logic gates constituting the integrated circuits are 
made with CMOS technology. They are constituted by PMOS 
transistors and by NMOS transistors. The gates draw current 
whenever the transistors change from a conductive state to a 
non- conductive state, or vice versa. Furthermore, the 
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connections between the gates, in particular the bus lines, 
constitute capacitances which likewise draw electrical current 
while they are being charged. This applies in particular when 
the bus lines are required to carry logic state 1. 
5 Thus, the current drawn by an integrated circuit device as a 

function of time varies depending on the tasks performed by such 
device . 

Monitoring current as a function of time thus provides an 
electrical signature representative of the activity of the 
10 integrated circuit device. By analyzing the electrical 
:; ~ signature, and more specifically analyzing its amplitude as a 

function of time, this can reveal information about that 
Ij: activity. Such analysis enables attackers to gain access to 
ffl confidential information, e.g. secret keys, that are carried by 
fcs the bus lines and that are contained in the memories of the 
Qi integrated circuit, or indeed to follow the flow of instructions 
|M : opening the way to attack secrets by analyzing times that are 
:jh; characteristic of the current drawn by the integrated circuit 

during a transaction. 
2 0 For the purpose of avoiding signatures being analyzed in 

this way, some methods in the state of the art propose using 
algorithms that enable operations to be triggered at instants 
that are pseudo- random. Other methods propose generating noisy 
power supply currents that are rich in random information, or 
25 indeed in erroneous operations. 
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The above-mentioned methods in the state of the art suffer 
from numerous drawbacks. In particular, they monopolize certain 
resources of the device which could be used for performing other 
operations. In addition, such methods are not reliable since 
5 techniques for analyzing the current drawn in sequences 

stimulated by particular commands are highly effective. They 
make it possible to ultimately obtain the looked- for confidential 
information . 

SUMMARY OF THE INVENTION 
H) One object of the present invention is to make confidential 

J~| data stored in memory more secure by making analysis of the 

electrical signatures of integrated circuit devices more 
^ difficult. 

^ This and other objects are attained in accordance with one 

f& aspect of the invention which is directed to an integrated 
|M= circuit device adapted to be incorporated in a portable article 
:gyi having a memory, in particular an article of a card format. The 
device comprises a central processor unit; at least one memory; 
at least one data input /output pad; n address bus lines 
20 connecting the central processor unit to the memory and/or to the 
input/output pad to carry address bits; and p data bus lines 
connecting the central processor unit to the memory and/or to the 
input/output pad for conveying data bits. At least one line from 
the address bus lines and the data bus lines is associated with 
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an additional line for conveying bits that are complementary to 
the bits conveyed over the at least one line. 

Thus, by transferring two data items, e.g. 1 on one data (or 
address) bus line and 0 on its corresponding additional line, the 
same amount of current is drawn as would be drawn by transferring 
a data pair comprising 0 on the same data (or address) bus line 
and 1 on its corresponding additional line. As a result, the 
current drawn is always the same and it is no longer possible to 
determine the nature of the bits transported on the bus lines by 
analyzing the electrical signature of the device in operation. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention will be better understood on reading the 
following non- limiting explanation taken together with reference 
to the accompanying drawings, in which: 

Figure 1 is a plan view of an electronics module having an 
integrated circuit chip whose contact areas are flush with the 
surface of a card body; 

Figure 2 is a plan view of an integrated circuit chip and 
its connection pads; 

Figure 3 is a schematic circuit diagram showing the various 
functional elements constituting an integrated circuit 
implemented in accordance with the invention; 

Figure 4 is a cross -section taken through a bus line 
deposited on the silicon substrate of an integrated circuit chip; 

-4- 



o . o 



Figure 5 is a more detailed depiction of the embodiment of 
Fig. 3, and shows a circuit diagram of the bus line connections 
and the additional line connections to the ROM and EE PROM 
memories ; and 

5 Figure 6 has three graphs to show the currents drawn by- 

using a bus line, its additional line, and the assembly comprised 
by both of said lines. 

DETAILED DESCRIPTION OF THE INVENTION 

By way of example, the present invention is described with a 
3Up specific application to smart cards. Nevertheless, it will be 
~| understood that the invention applies generally to any integrated 

circuit device that is designed to be incorporated in a portable 
W article having a memory, such as a subscriber identity module 
IH : (SIM) in the format for cell phones, or an electronic label. 

£5 Smart cards are standard portable articles that operate with 

I** or without making physical contact and that are defined, in 
■k particular, in ISO standards 78-10, 78-16, and 14443, the content 

of which is hereby incorporated by reference. 

Thus, as can be seen more clearly in Figures 1 and 2, 
2 0 cards 1 that operate by means of physical contact comprise a 

respective integrated circuit chip 2 having at least five contact 

pads 3, 4, 5, 6, and 7 which are electrically connected via wires 
(not shown) respectively to five contact areas 8, 9, 10, 11, and 

12 that are flush with the surface of a card body 13 . A Reset 
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contact pad 3 is connected to a Reset contact area 8, a Clock 
contact pad 4 is connected to a Clock contact area 9, a Vss 
contact pad 5 is connected to a Vss contact area 10, an 
input/output (I/O) contact pad 6 is connected to an I/O contact 
5 area 11, and an Idd contact pad 7 is connected to a Idd contact 
area 12 . 

The assembly comprising the chip 2, the conductor wires, and 
the contact areas 8, 9, 10, 11, and 12, generally comprises an 
electronics module 14 which is incorporated in the card body 13 . 
10 The integrated circuit device of the invention is 

^ specifically the electronics module 14 carrying the areas 8, 9, 
jS j io, 11, and 12, and including the chip 2, or else it is the chip 
* 2 itself. 

P The integrated circuit of the device of the invention has 

li 

1^5 various functional units. In particular, it has a central 

O processor unit CPU, volatile memory RAM, and/or non-volatile 

|y : memory ROM, EE PROM . It may have other units or subunits for said 

jg units, for example a crypto-processor intended more particularly 

for cryptographic encoding of data and requiring specialized 
20 calculation structures. 

In addition, the integrated circuit has an address bus AB 

and a data bus DB (see Fig. 3). 

The address bus AB has n address bus lines connecting the 

CPU to the memories RAM, ROM, EEPROM, and to the I/O pad, where 
25 n is an integer number greater than or equal to 1 . In Figure 3, 
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n is equal to 16, and the 16 address bus lines are referenced A 0/ 
A x , . . . / A 15 . 

The data bus DB comprises p data bus lines connecting the 
CPU to the memories RAM, ROM, EE PROM, and to the I/O pad, where p 
5 is an integer number greater than or equal to 1 . In Figure 3, p 
is equal to 8 and the eight bus data lines are referenced D 0 , 
D x , . . . , D 7 . 

Each address bus line A 0/ A lt . .., A 15 can carry a logic 
value 0 or a logic value 1 representing a bit of determined 
10 weight in an address that is encoded on 16 bits. The bit is 
? ~* conveyed in one direction only from the CPU to the memories RAM, 
'fZ ROM and EE PROM, or the I/O pad, as appropriate. 

Each data bus line D 0 , D 1# . . . , D 7 is capable of conveying a 
2: logic value 0 or a logic value 1 constituting a bit of determined 
ft weight in a data item encoded on 8 bits. This takes place, 
S depending on circumstances, in one direction only, or in both 
IM : directions. The possible directions in which a bit can be 
yj! conveyed are indicated by arrows in Figure 3 . 

The address bus 1 ines A 0 , A x/ . . . , A 15 , and the data bus 
20 lines D 0 , D 17 D 7 are conductor lines constituted by a 

metallized layer 24 deposited on a thick layer of silicon oxide 
20 itself deposited on the silicon substrate 21 of the chip 2. 
As can be seen in Figure 4, the thickness of a bus line is on the 
order of microns, e.g. 0.7 /im. The width of a bus line is also 
25 very small, e.g., about 2 fim. The length of a line can be 
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considerable, as much as 8 mm. Under such circumstances, the 
area of a bus line is on the order of 2 x 8000 = 16,000 /im 2 . 

According to the invention, at least one address bus line 
A 0 , A lt . . . , A 15 or at least one data bus line D 0 , D 1# . . . , D 7 is 
associated with an additional bus line. 

In the preferred embodiment of the invention as shown in 
Figure 3, all 16 address bus lines A 0/ A 1 , . .., A 15 and all eight 
data bus lines D 0 , D lt . .., D 7 are associated respectively with 16 
additional lines A' 0 , A' 1# A' 15 and eight additional lines 

As an example, each additional bus line is constituted like 
the bus line with which it is associated, by a metallized layer 
deposited on the thick oxide 20 of the silicon substrate 21 of 
the chip, immediately beside the line with which it is 
associated, and therefore it follows the same path over the 
active face of the circuit. Also, each additional bus line is of 
an area that is equivalent to that of the address bus line or the 
data bus line with which it is associated. 

In other examples, the additional lines do not follow the 
same paths as the bus lines with which they are associated, but 
they nevertheless have a capacitance C' bus which approximate the 
capacitance C bus of the bus lines. 

The address bus lines A 0 , A 1# A 15 and the data bus lines 

D 0 , D lf .../ D 7 are, like the additional bus lines A' 0/ A' lf 
A' 15 and D' 0 , D' lf D' 7 electrically connected to the 
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functional units with which they are associated by dual 
three-state amplifiers 15. This is illustrated in Fig. 5 only 
with respect to data bus line D 0 and additional bus line D' 0 for 
the sake of simplifying the explanation. These dual three- state 
5 amplifiers 15 have gates which controllably connect the bus lines 
to the functional units with which they are associated, e.g. the 
ROM and the EE PROM . 

As shown in Fig. 5, the output signal 3 0 of the EE PROM is 
provided as a direct input to NAND gate 32 and also to AND gate 
10 34 via inverter 36. The other input to both of the NAND gate and 
jsas . the AND gate is the ENEE signal (discussed below) . A similar 
ft arrangement is shown in Fig. 5 for the ROM output signal 40 and 
signal ENR (discussed below) . The descriptive explanation which 
follows pertains only to the EE PROM in the interest of brevity. 

A dual three-state amplifier 15 of the invention includes a 
© first PMOS transistor 16 connected in series with a first NMOS 
|M transistor 17 between power source V cc and GND, and also a second 
hfji PMOS transistor 18 connected in series with the second NMOS 

transistor 19. The first PMOS transistor 16 and the second NMOS 
20 transistor 19 are controlled by the same control signals at the 
output of AND gate 34, and the first NMOS transistor 17 and the 
second PMOS transistor 18 are controlled by the same control 
signals at the output of NAND gate 32. 

In Figure 5, the control signals ENR (ENABLE ROM) and ENEE 
25 (ENABLE EE PROM) are shown. These are conventional, CPU-generated 
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signals typically available in a ROM and EEPROM which 
respectively control access to the bus lines connected to the 
memory ROM and to the memory EEPROM. Only one of these control 
signals is active at any given time. Thus, when the control 
5 signal ENR is active (i.e., when a logic 1 is sent through the 

line corresponding to ENR) , only the dual three-state amplifiers 
for the ROM are capable of circulating data or addresses coming 
in or going out of the ROM (e.g., imparting their 0 or 1 logic 
signals to the bus lines or to the additional bus lines with 
10 which the ROM is connected) . The same goes for the ENEE control 
-s, signal. Under such circumstances (i.e., when ENR is a logic 1 
^: and, therefore, ENEE is a logic 0) , every dual three -state 
j ;f amplifier 15 connected to the EEPROM memory is in a high 
P impedance mode to "disconnect 11 it from the bus lines D 0 and D' 0 
fe because none of the transistors of this amplifier is conductive. 
O Conversely, when the control signal ENEE is active (i.e, ENEE is 
|p a logic 1) , only the dual three-state amplifiers associated with 
■k the EEPROM are in a position to impart their 0 or 1 logic signals 

on output 3 0 to the bus lines or the additional bus lines with 
20 which the EEPROM is associated. Under such circumstances, every 
three-state amplifier 15 connected to the ROM memory is in a high 
impedance state because none of the transistors in such amplifier 
is conductive . 

By way of example, when the signal ENEE is active and the 
25 signal 30 from the EEPROM memory is at logic level 1, the voltage 
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on the data bus D 0 will be a logic level 1 and the voltage on the 
additional data bus D' 0 will be a logic level 0. Thus, a 1 data 
bit on output line 3 0 is transmitted to the bus line D 0 while a 0 
data bit, complementary to the above-mentioned 1 data bit, is 
5 simultaneously provided at the additional bus line D' 0 . 

The above -explained arrangement is not only applied to all 
of the data bus lines D 0/ D 1; . . . , D 7 associated with the 
additional lines D' 0/ D' 1# D' 7/ but also to all of the 

address bus lines A 0/ A 1# . . . , A 15 associated with the additional 
10 lines A' 0 , A' x , . .., A' 15 . 

_ Thus, for each logical data or address item respectively 

carried by the bus DB or the bus AB, a complementary logical data 

'•'.Trip 

W or address item is carried simultaneously by the additional bus. 
IM Let a be the number of 1 bits on the data bus. Let b be the 
Its number of 1 bits on the additional data bus. For an 8-bit 

|2i microcontroller, the data bus has 8 bits. Thus, the number of 1 

«. 

•%? : - 

bits on the data bus as a whole is such that a + b = 8 . Let c be 
% the number of 1 bits for the address bus. Let d be the number of 
" 1 bits for the additional address bus. For a microcontroller 

20 capable of addressing 65536 bytes, the address bus has 16 bits. 

Thus, the number of 1 bits for the address bus as a whole is such 

that c + d = 16. 

By way of example, we consider an instruction whose binary 

code is 10011101, and whose hexadecimal code is 9D. Each of the 
25 8 bits is carried simultaneously, depending on its significance, 
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over a respective data bus line D 0 , D lf D 2 , D 3/ D 4 , D 5/ D 6/ or D 7/ 
and the complementary logic number, in this case constituted by 
the 8 bits 01100010 is likewise carried simultaneously by the 
respective additional lines D'0, D'l, D'2, D'3, D'4, D'5, D'6, 
and D'7. The total number of 1 bits making up the logic word 
10011101 and making up its complement 01100010 is equal to 8. 

An advantage of the device of the invention is described in 
detail below. 

In an integrated circuit device of the prior art or of the 
invention, the area of the bus lines integrated in the active 
face of the chip 2 is, as mentioned above (Figure 4) , liable to 
be as much as 16,000 /xm 2 . These lines constitute the first 
electrode of a parasitic capacitance C bus/ where the second 
electrode is the substrate 21 of the integrated circuit and the 
dielectric is the layer of silicon oxide 20 deposited on the 
active face of the chip 2 . The parasitic capacitance C bus 
associated with each bus line is of picofarad order, and each 
time a 1 bit is carried by a bus line, this capacitance C bus 
consumes electrical power as it charges. This electrical power 
consumption is the origin of the variations in current 
consumption by the integrated circuit as a function of time 
Idd(t), and analyzing such current consumption provides an 
electrical signature that reveals the activity of the circuit. 

In the prior art device, analyzing electrical signatures 
gives access to information, data or addresses, as carried by the 
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bus lines since the current Idd(t) from the source of Vcc is a 
function of the bits carried. 

In contrast, in an integrated circuit device of the 
invention, current consumption Idd(t) is independent of the data 
5 or the address carried by the bus lines. This current Idd(t) is 
constituted by summing the currents drawn by the conventional bus 
lines and by the additional bus lines, and that is equal to a 
constant when the capacitances C' bus of the additional bus lines 
are equivalent to the capacitances C bug of the bus lines with 

10 which they are associated, as in an advantageous embodiment of 

^ the invention. 

!:~: For example, as shown in Figure 6 which relates to the 

^f! transmission of data bits on data line D 0 , Idd(t) = Idd D0(t) + 
5 Idd DO' (t) , regardless of the particular bits carried by data 
b5 line D 0 . Idd DO (t) and Idd DO' (t) are shown in Fig. 5 to flow, 
O respectively, through bus lines D 0 and D' 0 . 

M. Although preferred embodiments of the invention have been 

iM disclosed in detail herein, it should be understood that various 
modifications thereto will be readily apparent to anyone with 

20 ordinary skill in the art. For example, the integrated circuit 
device can be provided with additional means for the purpose of 
guaranteeing complete security of any confidential information it 
may contain. This and other modifications are intended to fall 
within the scope of the present invention as defined by the 

25 following claims. 
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